Java Hardcoded Password Authentication
Description
Detects when hardcoded password strings are used to create Java PasswordAuthentication objects. Using hardcoded credentials in source code is a security risk because they are exposed to anyone with access to the source code and cannot be easily rotated.
Detection Strategy
• Checks if java.net.PasswordAuthentication class is imported in the code
• Identifies PasswordAuthentication constructor calls in the code
• Analyzes if the password parameter passed to the constructor is a hardcoded string value
• Reports a vulnerability when a PasswordAuthentication object is created with a hardcoded password string
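The four detection steps above, implemented as a small Python checker (an added example, not Fluid Attacks' own analyzer): it confirms the class is imported or referenced by its fully qualified name, finds constructor calls with a regular expression, and reports those whose second argument is a string literal (with or without .toCharArray()) or a char[] literal. It assumes each constructor call sits on one line, is terminated by a semicolon, and that "//" never appears inside a string literal; the Java samples are constructed to mirror this page's examples.

```python
import re

# Step 1: the class must be imported (or referenced by its fully qualified name, checked below).
IMPORT_RE = re.compile(r"^\s*import\s+java\.net\.(?:PasswordAuthentication|\*)\s*;", re.M)
# Step 2: a constructor call; assumption: both arguments sit on one line and the call ends with ';'.
CTOR_RE = re.compile(
    r"new\s+(?:java\.net\.)?PasswordAuthentication\s*\(\s*([^,]+?)\s*,\s*(.+?)\s*\)\s*;")
# Step 3: the password argument is a literal: "...", "...".toCharArray() or new char[]{...}.
LITERAL_RE = re.compile(
    r'^"(?:[^"\\]|\\.)*"(?:\s*\.toCharArray\(\s*\))?$|^new\s+char\s*\[\s*\]\s*\{[^}]*\}$')


def find_hardcoded_password_auth(source: str) -> list:
    """Return (line_number, password_expression) for every PasswordAuthentication
    constructor whose password argument is a hardcoded literal (Step 4)."""
    if not IMPORT_RE.search(source) and "java.net.PasswordAuthentication" not in source:
        return []  # the class is never used in this file, nothing to analyze
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # drop // comments (assumption: no "//" inside string literals)
        for match in CTOR_RE.finditer(code):
            password_expr = match.group(2).strip()
            if LITERAL_RE.match(password_expr):
                findings.append((lineno, password_expr))
    return findings


# Constructed Java samples mirroring this page's vulnerable and secure examples.
VULNERABLE_JAVA = """\
import java.net.PasswordAuthentication;
public class VulnerableExample {
    public void authenticate() {
        PasswordAuthentication auth = new PasswordAuthentication("admin", "secret123".toCharArray());
        PasswordAuthentication auth2 = new PasswordAuthentication(user, new char[]{'p', 'w'});
    }
}
"""
SECURE_JAVA = """\
import java.net.PasswordAuthentication;
public class SecureExample {
    public PasswordAuthentication authenticate() {
        String username = System.getenv("APP_USERNAME");
        return new PasswordAuthentication(username, System.console().readPassword("Password: "));
    }
}
"""

if __name__ == "__main__":
    for name, src in (("VulnerableExample", VULNERABLE_JAVA), ("SecureExample", SECURE_JAVA)):
        for lineno, expr in find_hardcoded_password_auth(src):
            print(f"{name}:{lineno}: hardcoded password passed to PasswordAuthentication: {expr}")
```

Running it reports lines 4 and 5 of the vulnerable sample and nothing for the secure one; a password built from a variable or method call is not flagged, so the check has no false positive on the console-based pattern.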
Vulnerable code example
import java.net.PasswordAuthentication;

public class VulnerableExample {
    public void authenticate() {
        // Vulnerable: Hardcoded credentials in PasswordAuthentication constructor
        PasswordAuthentication auth = new PasswordAuthentication("admin", "secret123".toCharArray());
        // Vulnerable: Direct string password in constructor...
    }
}
✅ Secure code example
import java.net.PasswordAuthentication;
import java.util.Scanner;
import java.io.Console;

public class SecureExample {
    public PasswordAuthentication authenticate() {
        // Safe: Get credentials from environment variables or secure input
        String username = System.getenv("APP_USERNAME");
        // Read the password from the console rather than the source; readPassword returns a char[]
        Console console = System.console();
        char[] password = console.readPassword("Password for %s: ", username);
        return new PasswordAuthentication(username, password);
    }
}